Do I have to use mysql_real_escape_string if I bind parameters?

by

No, you don’t have to escape value yourself (i.e. no you don’t need to call mysqli_real_escape_string), when you are using prepared statements : the DB engine will do that itself.

(Actually, if you were calling mysql_real_escape_string and using bound parameters, your strings would get escaped twice — which would not be great : you’d end up with escaping characters everywhere…)

As a sidenote : your values are passed as integers (as indicated by the 'ii'), so you wouldn’t have to call mysql_real_escape_string, even if you were not using prepared statements : as its name indicates, this function is used to escape… strings.

For integers, I generally just use intval to make sure the data I inject into my SQL queries really are integers.

(But, as you are using prepared queries, once again, you don’t have to do that kind of escaping yourself)

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. Shortcomings of mysql_real_escape_string?
  4. How can create Database using url or other method [duplicate]
  5. Problame with files on SQL
  6. Im trying to create some temporary tables in mysql using php
  7. How to include a PHP variable inside a MySQL statement
  8. How to apply bindValue method in LIMIT clause?
  9. Examples of SQL Injections through addslashes()?
  10. Achieve hierarchy, Parent/Child Relationship in an effective and easy way
  11. Is mysql_real_escape_string() broken?
  12. How to search for slash (\) in MySQL? and why escaping (\) not required for where (=) but for Like is required?
  13. I cannot get my login form to connect interact properly with mySQL database [closed]
  14. Do I have to guard against SQL injection if I used a dropdown?
  15. mysql_num_rows(): supplied argument is not a valid MySQL result resource [duplicate]
  16. Increment value in MySQL update query
  17. Do SQL connections opened with PDO in PHP have to be closed
  18. MYSQL Select from tables based on multiple rows
  19. How to execute raw queries with Laravel 5.1?
  20. How to convert ISO8601 to Date format in php
  21. MySQL skipping first row
  22. How to reverse order output of a MySQL query
  23. How do you do multiple SQL statements in one mysql_query?
  24. MySQL/SQL retrieve first 40 characters of a text field?
  25. Fatal error: Call to a member function query() on null
  26. how do I get month from date in mysql
  27. Updating column so that it contains the row position
  28. MYSQL select a piece of a string and order by that piece
  29. Aggregated query without GROUP BY
  30. PHP/MySQL Pagination

Leave a Comment